From: Mark Wooding Date: Tue, 6 Mar 2012 00:01:11 +0000 (+0000) Subject: Merge branch 'master' into emergency X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/f513127acd3ccf2f6ec695ba5d9396739bd21aba?hp=-c Merge branch 'master' into emergency * master: functions.m4: Write the netclass ids to the trace output. bookends.m4: If debugging, dump the final tables. Determine forwarding and reverse-path filtering from host definitions. Overhaul address classification. local.m4: Promote the NTP server configuration to a proper variable. Renumber the diversions. fixup! WIP on emergency: 7a108d1 Makefile: New target for tracking diversions. Makefile: New target for tracking diversions. Makefile, base.m4: Inject the target hostname into the generated script. Semantic conflict: The variable `if_dmz' is no longer set, so just hardwire the interface name. --- f513127acd3ccf2f6ec695ba5d9396739bd21aba diff --combined numbers.m4 index 4d111da,d5ab0c1..c94ae5f --- a/numbers.m4 +++ b/numbers.m4 @@@ -21,7 -21,7 +21,7 @@@ ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - m4_divert(25)m4_dnl + m4_divert(24)m4_dnl ###-------------------------------------------------------------------------- ### Magic numbers. @@@ -49,7 -49,6 +49,7 @@@ defport rsync 87 defport imaps 993 defport h323 1720 defport squid 3128 +defport rdesktop 3389 defport tripe 4070 defport siplo 5000 defport siphi 5100 diff --combined vampire.m4 index 2cf1a13,fa79ee2..44eef03 --- a/vampire.m4 +++ b/vampire.m4 @@@ -22,38 -22,15 +22,16 @@@ ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- - ### Config settings. - - ## This router is involved in a routing asymmetry. 
- setconf(rp_filter, 0) - setconf(log_martians, 0) - - ###-------------------------------------------------------------------------- - ### Network interfaces. - - m4_divert(44)m4_dnl - ## Interface definitions. - if_dmz=eth0.0 - if_trusted=eth0.1 - if_safe=$if_dmz,$if_trusted - if_untrusted=eth0.3 - if_vpn=vpn-+ - if_iodine=dns+ - if_its_mz=$if_dmz,$if_trusted - if_its_pi=$if_dmz,$if_trusted - - m4_divert(-1) - ###-------------------------------------------------------------------------- ### vampire-specific rules. - m4_divert(82)m4_dnl + m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ finger ident \ dns iodine \ ssh \ smtp submission \ + rdesktop \ gnutella_svc \ ftp ftp_data \ rsync \ @@@ -93,31 -70,5 +71,31 @@@ run iptables -A OUTPUT -m multiport dnsresolver inbound ntpclient inbound $ntp_servers +## NAT for RFC1918 addresses. +for i in PREROUTING OUTPUT POSTROUTING; do + run iptables -t nat -P $i ACCEPT 2>/dev/null || : + run iptables -t nat -F $i 2>/dev/null || : +done +run iptables -t nat -F +run iptables -t nat -X + +run iptables -t nat -N outbound - run iptables -t nat -A outbound -j RETURN ! -o $if_dmz ++run iptables -t nat -A outbound -j RETURN ! -o eth0.0 +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 +run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 +run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 +run iptables -t nat -A POSTROUTING -j outbound + +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. +run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done + m4_divert(-1) ###----- That's all, folks --------------------------------------------------
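Review bot: The rationale comment `## This router is involved in a routing asymmetry.` is dropped together with `setconf(rp_filter, 0)` and `setconf(log_martians, 0)`, and nothing in the new side of this hunk says where that knowledge now lives; the merge message says forwarding and reverse-path filtering are derived from host definitions, so the asymmetry note should travel with vampire's host definition rather than vanish. In the same hunk `rdesktop` is appended to the `## Externally visible services.` list next to ssh and smtp, which — if `allowservices inbound` admits traffic on every inbound interface, as the heading suggests — exposes TCP/3389 to the untrusted side as well as to the DMZ and trusted networks; if only the trusted or VPN interfaces should reach it, a separate rule keyed on those interfaces would be the safer shape. A one-line comment on the new entry, e.g. `## rdesktop: reachable from all inbound interfaces by design`, would at least record that the exposure is deliberate. The `allowservices inbound tcp \` command continues past the end of the hunk.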
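Review bot: The conflict resolution hardwires the DMZ interface in `run iptables -t nat -A outbound -j RETURN ! -o eth0.0`, while the interface block removed in the previous hunk defined `if_dmz=eth0.0`; the name now exists only inside this NAT rule and will silently drift if the DMZ interface is renamed in the host definitions the merge message refers to, so the line deserves a comment such as `## DMZ interface hardwired (was $if_dmz); keep in step with the host definition.`. The `## Set up NAT protocol helpers.` block loads `nf_conntrack_sip` with `sip_direct_signalling=0 sip_direct_media=0`, which, as I read those module parameters, makes the helper accept signalling and media from addresses other than the registrar and the negotiated peer, and the ftp/sip/h323 helpers are loaded with no restriction on which flows they attach to; "some special twiddling" does not say why the relaxed settings are required, and a sentence naming the SIP deployment that needs them would let a later maintainer tighten them again. If the kernel in use supports it, pinning helpers to specific flows (the `CT --helper` target in the raw table) rather than relying on port-based auto-assignment would narrow what the helpers inspect, but that is outside this hunk.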